Google has filled a security hole in the Android Market that would allow the installation of apps onto a user’s device without the user’s consent to the install. The hole even allowed the installation of an app on the user device without having physical access to the Android smartphone or tablet. The hole was in the cross-site scripting or XSS on the Android Market.
The only caveat to exploit the hole was that the user had to be logged into the web store. The exploit was brought to the attention of Google by John Oberheide, a security specialist for Android devices.[via H-online